We have a daemon that is launched by launchd, always running in the background and running as root. The daemon is installed to
/Library/LaunchDaemons.
To reduce its attack surface we want to move some functionality into another helper process. It doesn't have to be running as root, but since the client (the LaunchDaemon) is running as root and in the launchd context, we created another LaunchDaemon that is launched on-demand and uses the MachService key to advertise its Mach service. It is also installed to
/Library/LaunchDaemons.
The sandboxed daemon has little functionality in it, and its entitlements are just com.apple.security.app-sandbox. We use NSXPC to communicate between the non-sandboxed daemon and the sandboxed daemon. The sandboxed helper daemon launches as expected.
However the sandboxed application exits immediately on 10.14 with the following crash:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Illegal instruction: 4
Termination Reason: Namespace SIGNAL, Code 0x4
Terminating Process: exc handler [1721]
External Modification Warnings:
Debugger attached to process.
Application Specific Information:
dyld: launch, running initializers
/usr/lib/libSystem.B.dylib
Sandbox registration internal error: Incoming message euid:1 does not match secinitd uid:0.
Application Specific Signatures:
Internal error: Incoming message euid:1 does not match secinitd uid:0.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_secinit.dylib 0x00007fff5b6e6b2a _libsecinit_setup_secinitd_client + 1929
1 libsystem_secinit.dylib 0x00007fff5b6e6340 _libsecinit_initialize_once + 13
2 libdispatch.dylib 0x00007fff5b49e63d _dispatch_client_callout + 8
3 libdispatch.dylib 0x00007fff5b49fd4c _dispatch_once_callout + 20
4 libsystem_secinit.dylib 0x00007fff5b6e6331 _libsecinit_initializer + 79
5 libSystem.B.dylib 0x00007fff582b09d4 libSystem_initializer + 136
6 dyld 0x0000000108408592 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 506
If we remove the entitlements from the sandboxed helper, thus making it non-sandboxed, it works fine but this is obviously not the intent.
Any ideas?
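For readers unfamiliar with the setup described in the question, here is an added illustration (not the poster's own files) of what an on-demand helper LaunchDaemon that advertises a Mach service for NSXPC looks like, with the matching minimal entitlements file. The label, program path, service name and the UserName value are assumptions chosen for the example; the question does not state them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /Library/LaunchDaemons/com.example.helper.plist (hypothetical path/label) -->
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>

    <!-- Assumed install location of the helper executable -->
    <key>Program</key>
    <string>/Library/PrivilegedHelperTools/com.example.helper</string>

    <!-- Advertise a Mach service; launchd starts the job on demand when a
         client connects to this name via NSXPCConnection(machServiceName:) -->
    <key>MachServices</key>
    <dict>
        <key>com.example.helper</key>
        <true/>
    </dict>

    <!-- Assumption for the example: run the helper as the unprivileged
         "daemon" account (uid 1 on macOS) rather than as root. -->
    <key>UserName</key>
    <string>daemon</string>

    <!-- On-demand: do not keep the helper resident when idle -->
    <key>KeepAlive</key>
    <false/>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>

<!-- com.example.helper.entitlements (hypothetical name), applied at code-signing
     time; this is the single entitlement the question says the helper carries -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
```

The two documents are shown together only for reading; each goes in its own file. One observation that helps when reading the crash log above: on macOS the `daemon` account has uid 1, so "Incoming message euid:1" means the helper was executing with that effective uid at the moment libsystem_secinit ran its initializer, while the secinitd instance it reached belonged to uid 0. Whether the helper runs as root or as a separate account is therefore the first thing to confirm against the job's plist when reproducing the problem.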